US12074908B2ActiveUtilityA1

Cyber threat deception method and system, and forwarding device

82
Assignee: HUAWEI TECH CO LTDPriority: Aug 22, 2019Filed: Jul 7, 2021Granted: Aug 27, 2024
Est. expiryAug 22, 2039(~13.1 yrs left)· nominal 20-yr term from priority
H04L 45/745H04L 63/1491H04L 63/1408H04L 2101/622H04L 61/103H04L 45/66H04L 12/4641H04L 61/2528H04L 12/4633
82
PatentIndex Score
2
Cited by
18
References
20
Claims

Abstract

This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A cyber threat deception method, comprising:
 obtaining, by a forwarding device, a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the obtaining the deception target set comprises:
 receiving a third IP packet; 
 querying, by the forwarding device based on a destination IP address of the third IP packet, a routing table of the forwarding device for a next-hop IP address corresponding to the third IP packet; and 
 when no next-hop IP address corresponding to the third IP packet is in the routing table, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address; 
 
 receiving, by the forwarding device, a first IP packet from a first host; 
 determining, by the forwarding device, whether a destination party that the first IP packet requests to access belongs to the deception target set; 
 when the destination party that the first IP packet requests to access belongs to the deception target set, sending, by the forwarding device, the first IP packet to a honeypot management server; 
 receiving, by the forwarding device, a second IP packet from the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and 
 sending, by the forwarding device, the second IP packet to the first host. 
 
     
     
       2. The method according to  claim 1 , further comprising:
 when no next-hop IP address corresponding to the third IP packet is in the routing table, sending, by the forwarding device, the third IP packet to the honeypot management server; and 
 receiving, by the forwarding device from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet. 
 
     
     
       3. The method according to  claim 1 , further comprising:
 when a next-hop IP address corresponding to the third IP packet is in the routing table, querying, by the forwarding device, an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address; 
 when no MAC address corresponding to the next-hop IP address is in the ARP table, determining, by the forwarding device, an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the forwarding device, and the online status is online or offline; and 
 when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address. 
 
     
     
       4. The method according to  claim 3 , further comprising:
 when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, sending the third IP packet to the honeypot management server; and 
 receiving, from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet. 
 
     
     
       5. The method according to  claim 3 , wherein the IP address status table is obtained by performing the following steps:
 sending, by the forwarding device, an ARP request packet for each of the plurality of IP addresses within the range of the subnet connected to the forwarding device; and 
 when the forwarding device does not receive an ARP reply packet of a first IP address, adding the first IP address to the IP address status table, wherein the first IP address is an IP address of the plurality of IP addresses; and 
 setting a status of the first IP address to offline. 
 
     
     
       6. The method according to  claim 5 , further comprising: receiving, by the forwarding device, an ARP reply packet of a second IP address, wherein the second IP address is an IP address of the plurality of IP addresses;
 adding the second IP address to the IP address status table; and 
 setting a status of the second IP address to online. 
 
     
     
       7. The method according to  claim 1 , wherein the obtaining the deception target set comprises:
 receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a connection reset (RST) packet; 
 determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: 
 before the fourth IP packet is received, at least one connection establishment (SYN) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the SYN packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet is same as a source port number of the fourth IP packet; and 
 when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet. 
 
     
     
       8. The method according to  claim 1 , wherein the obtaining the deception target set comprises:
 receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a RST packet; 
 determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: 
 at least one SYN packet corresponding to the fourth IP packet is received previous to a predetermined period of time that is before the fourth IP packet is received, and one or more packets that is or that are received within the predetermined period of time and that has or that have a same source IP address and a same source port number as the fourth IP packet is or are all RST packets or internet control message protocol (ICMP) unreachable packets, wherein a destination IP address of the SYN packet corresponding to the fourth IP packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet; and 
 when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet. 
 
     
     
       9. The method according to  claim 8  further comprising:
 when the fourth IP packet satisfies the deception condition, sending the SYN packet corresponding to the fourth IP packet to the honeypot management server; and 
 receiving, from the honeypot management server, a response packet of the SYN packet, and forwarding the response packet of the SYN packet to the first host. 
 
     
     
       10. The method according to  claim 1 , wherein the obtaining the deception target set comprises:
 receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is an ICMP unreachable packet; 
 determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: 
 before the fourth IP packet is received, at least one user datagram protocol (UDP) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the UDP packet is same as a source IP address of the fourth IP packet, and a destination port number of the UDP packet is same as a source port number of the fourth IP packet; and 
 when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet. 
 
     
     
       11. The method according to  claim 1 , further comprising:
 receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a connection establishment acknowledgment SYN-ACK packet; 
 determining, by the forwarding device, whether the deception target set comprises a to-be-deleted deception target, wherein the to-be-deleted deception target is an unopened port number on a used IP address, the used IP address is a source IP address of the fourth IP packet, and the unopened port number is a source port number of the fourth IP packet; and 
 when the deception target set comprises the to-be-deleted deception target, deleting, by the forwarding device, the to-be-deleted deception target from the deception target set. 
 
     
     
       12. The method according to  claim 1 , further comprising:
 forwarding, by the forwarding device, a domain name system (DNS) domain name request; 
 intercepting and stopping forwarding, by the forwarding device, a first DNS response packet, wherein the first DNS response packet is a response packet of the DNS domain name request, and the first DNS response packet indicates that a domain name queried by the DNS domain name request does not exist; 
 generating, by the forwarding device, a second DNS response packet, wherein the second DNS response packet comprises an IP address corresponding to the domain name queried by the DNS domain name request, and the IP address corresponding to the domain name is an unused IP address in the deception target set; and 
 sending, by the forwarding device, the second DNS response packet. 
 
     
     
       13. A forwarding device, comprising:
 a network interface; and 
 at least one processor coupled to the network interface, wherein 
 the at least one processor is configured to: 
 obtain a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the network interface is configured to receive a third IP packet, and the at least one processor is configured to:
 query, based on a destination IP address of the third IP packet, a routing table of the forwarding device for a next-hop IP address corresponding to the third IP packet; and 
 when no next-hop IP address corresponding to the third IP packet is in the routing table, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address; 
 
 the network interface is configured to receive a first IP packet from a first host; 
 the at least one processor is further configured to determine whether a destination party that the first IP packet requests to access belongs to the deception target set; and 
 the network interface is configured to: 
 when the destination party that the first IP packet requests to access belongs to the deception target set, send the first IP packet to a honeypot management server; 
 receive a second IP packet from the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and 
 send the second IP packet to the first host. 
 
     
     
       14. The forwarding device according to  claim 13 , wherein
 the at least one processor is further configured to: 
 when a next-hop IP address corresponding to the third IP packet is in the routing table, query, an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address; 
 when no MAC address corresponding to the next-hop IP address is in the ARP table, determine an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the forwarding device, and the online status is online or offline; and 
 when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address. 
 
     
     
       15. The forwarding device according to  claim 13 , wherein
 the network interface is further configured to: 
 receive a fourth IP packet, wherein the fourth IP packet is a connection reset RST packet; and 
 the at least one processor is further configured to determine whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: 
 before the fourth IP packet is received, at least one connection establishment (SYN) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the SYN packet corresponding to the fourth IP packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet; and, 
 when the fourth IP packet satisfies the deception condition, add, to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet. 
 
     
     
       16. The forwarding device according to  claim 13 , wherein the network interface is further configured to:
 receive a fourth IP packet, wherein the fourth IP packet is an internet control message protocol (ICMP) unreachable packet; and 
 the at least one processor is further configured to determine whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: 
 before the fourth IP packet is received, at least one user datagram protocol (UDP) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the UDP packet corresponding to the fourth IP packet is the same as a source IP address of the fourth IP packet, and a destination port number of the UDP packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet, and 
 wherein the at least one processor is configured to, when the fourth IP packet satisfies the deception condition, add, to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet. 
 
     
     
       17. The forwarding device according to  claim 13 , wherein the network interface is further configured to:
 forward a DNS domain name request; 
 intercept and stop forwarding a first DNS response packet, wherein the first DNS response packet is a response packet of the DNS domain name request, and the first DNS response packet indicates that a domain name queried by the DNS domain name request does not exist, 
 wherein the at least one processor is further configured to generate a second DNS response packet, wherein the second DNS response packet comprises an IP address corresponding to the domain name queried by the DNS domain name request, and the IP address corresponding to the domain name is an unused IP address in the deception target set, and 
 wherein the network interface is further configured to send the second DNS response packet. 
 
     
     
       18. A cyber threat deception system, comprising:
 a honeypot management server; and 
 at least one forwarding device coupled to the honeypot management server, 
 wherein the at least one forwarding device is configured to 
 obtain a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the at least one forwarding device is configured to:
 receive a third IP packet; 
 query, based on a destination IP address of the third IP packet, a routing table of the at least one forwarding device for a next-hop IP address corresponding to the third IP packet; and 
 when no next-hop IP address corresponding to the third IP packet is in the routing table, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address; 
 
 receive a first IP packet from a first host; 
 determine whether a destination party that the first IP packet requests to access belongs to the deception target set; 
 when the destination party that the first IP packet requests to access belongs to the deception target set, send the first IP packet to a honeypot management server; 
 receive a second IP packet returned by the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and 
 send the second IP packet to the first host. 
 
     
     
       19. The cyber threat deception system according to  claim 18 , wherein the at least one forwarding device is configured to:
 when no next-hop IP address corresponding to the third IP packet is in the routing table, send the third IP packet to the honeypot management server; and 
 receive, from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet. 
 
     
     
       20. The cyber threat deception system according to  claim 18 , wherein the at least one forwarding device is configured to:
 when a next-hop IP address corresponding to the third IP packet is in the routing table, query an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address; 
 when no MAC address corresponding to the next-hop IP address is in the ARP table, determine an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the at least one forwarding device, and the online status is online or offline; and 
 when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.